Bug #2846

exclude ca-certificate symlinks from overlay

Added by Timo Teräs about 5 years ago. Updated almost 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Category: Base libraries
Target version:
Start date: 04/17/2014
Due date:
% Done: 100%
Estimated time:
Affected versions:
Security IDs:

Description

etc/ssl/certs is populated with symlinks for the system wide ca-certificates in /usr/share/ca-certificates. As these are maintained by the trigger, they should not go to overlay - they get rewritten anyway and just take up extra space and clutter lbu diff.

Two solution options:
1. rename these symlinks to be ca-cert-*.pem and update the protected_path mask to exclude these
2. new apk-tools feature to exclude symlinks (that point outside) in certain path

#2 seems very tricky to get right. So I'd prefer solution #1.


Related issues

Related to Alpine Linux - Bug #2715: exclude autogenerated ca-certificates.crt from overlay (Closed, 02/25/2014)

Associated revisions

Revision af18a975 (diff)
Added by Timo Teräs almost 5 years ago

main/ca-certificates: rewrite update-ca-certificates in lua

fix also overlay protected paths to exclude generated links.
ref #2846

Revision 5f8b675b (diff)
Added by Timo Teräs almost 5 years ago

main/update-ca-certificates: fix few minor issues in lua version

also optimize and cleanup the lua code a bit too. ref #2846

Revision 3ec43469 (diff)
Added by Timo Teräs almost 5 years ago

main/ca-certificates: rewrite update-ca-certificates in lua

fix also overlay protected paths to exclude generated links.
ref #2846

(cherry picked from commit af18a975d8494f923d0ff3754dd250ffc641b6ef)

Revision 6590afe4 (diff)
Added by Timo Teräs almost 5 years ago

main/ca-certificates: fix few minor issues in lua version

also optimize and cleanup the lua code a bit too. fixes #2846

(cherry picked from commit 5f8b675b20728b5589dcd6216e0f154065aec7b8)

History

#1 Updated by Timo Teräs about 5 years ago

Seems the openssl hashed links are also in that directory. So it is not possible to mandate a format for the symlinks. :(

I think update-ca-certificates also should be re-written in lua for Alpine. It is relatively slow as shell script.
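An added example, not part of the original issue and not code from ca-certificates or apk-tools: a shell helper that classifies the entries of a certs directory by where each symlink resolves rather than by its name, since the hashed links mentioned in comment #1 cannot be picked out with a name mask. The function names, the sample file names and the temporary layout are constructed assumptions, and `readlink -f` is assumed to be available (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example; not taken from ca-certificates or apk-tools.
# Usage: classify_certs /etc/ssl/certs /usr/share/ca-certificates
#
# Prints one "<class> <name>" line per entry in DIR:
#   generated - symlink that resolves into SHARE (the trigger recreates it)
#   dangling  - symlink whose target no longer exists
#   foreign   - symlink that resolves somewhere other than SHARE
#   local     - regular file, i.e. content an admin placed there
classify_certs() {
    dir=$1
    # Canonicalise SHARE so the prefix match also works when a parent
    # directory of SHARE is itself a symlink.
    share=$(readlink -f "$2") || return 1
    for entry in "$dir"/*; do
        name=${entry##*/}
        if [ -L "$entry" ]; then
            # -e follows the link, so it is false for a dangling symlink.
            if [ ! -e "$entry" ]; then
                echo "dangling $name"
                continue
            fi
            # Follow the whole chain: a hash link may point at another link.
            target=$(readlink -f "$entry")
            case $target in
                "$share"/*) echo "generated $name" ;;
                *)          echo "foreign $name" ;;
            esac
        elif [ -f "$entry" ]; then
            echo "local $name"
        fi
    done
}

# Constructed sample layout under ROOT (all names are made up):
# one packaged certificate, a named link to it, a hash-style link that
# points at the named link, a local file and a stale link.
demo_layout() {
    root=$1
    mkdir -p "$root/share/mozilla" "$root/certs"
    : > "$root/share/mozilla/Example_Root.crt"
    ln -s "$root/share/mozilla/Example_Root.crt" "$root/certs/Example_Root.pem"
    ln -s Example_Root.pem "$root/certs/1a2b3c4d.0"
    : > "$root/certs/site-local.pem"
    ln -s /nonexistent/gone.crt "$root/certs/stale.pem"
}
```

Only the `local` entries carry information that is not regenerated; the `generated` ones, whatever they are named, are the entries the description says clutter `lbu diff`.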

#2 Updated by Natanael Copa almost 5 years ago

  • Target version changed from Alpine 2.7.6 to Alpine 2.7.7

#3 Updated by Timo Teräs almost 5 years ago

  • % Done changed from 0 to 90

#4 Updated by Timo Teräs almost 5 years ago

For reference the lua update-ca-certificates is steadily 0.25s on my arm box (the shell script was 3-20 seconds depending on if the box was doing anything else). I believe it has less race conditions too.

However, the new code does not call update-ca-certificate hooks; I think the original calling convention is broken, and I doubt we have anyone using them... so I'm leaving it like that.

#5 Updated by Timo Teräs almost 5 years ago

  • Status changed from New to Resolved
  • % Done changed from 90 to 100

#6 Updated by Natanael Copa almost 5 years ago

  • Status changed from Resolved to Closed
